AU1758701A - Method for secure function execution by calling address validation - Google Patents

Method for secure function execution by calling address validation Download PDF

Info

Publication number
AU1758701A
AU1758701A AU17587/01A AU1758701A AU1758701A AU 1758701 A AU1758701 A AU 1758701A AU 17587/01 A AU17587/01 A AU 17587/01A AU 1758701 A AU1758701 A AU 1758701A AU 1758701 A AU1758701 A AU 1758701A
Authority
AU
Australia
Prior art keywords
address
call
intercepted
library
routine
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
AU17587/01A
Inventor
Oded Horvitz
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CLICKNET SOFTWARE Inc
Original Assignee
CLICKNET SOFTWARE Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from IL13291599A external-priority patent/IL132915A/en
Application filed by CLICKNET SOFTWARE Inc filed Critical CLICKNET SOFTWARE Inc
Publication of AU1758701A publication Critical patent/AU1758701A/en
Abandoned legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • G06F12/1416Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
    • G06F12/1425Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block
    • G06F12/1441Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block for a range
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/448Execution paradigms, e.g. implementations of programming paradigms
    • G06F9/4482Procedural
    • G06F9/4484Executing subprograms
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2209/00Indexing scheme relating to G06F9/00
    • G06F2209/54Indexing scheme relating to G06F9/54
    • G06F2209/542Intercept

Description

WO 01/37094 PCT/USOO/30812 METHOD FOR SECURE FUNCTION EXECUTION BY CALLING ADDRESS VALIDATION FIELD OF THE INVENTION The present invention relates generally to a method for detecting and preventing unauthorized or illegal access attempts within a computer system. More specifically, the present invention relates to a method for detecting and preventing attempts to exploit the buffer overflow-related weakness within a computer system. BACKGROUND OF THE INVENTION This application is related to Israel Patent Application Number "METHOD AND SYSTEM FOR INTERCEPTING A APPLICATION PROGRAM INTERFACE" filed 14 November 1999. Modern computers are designed with the requirements of high-level languages in mind. The most essential technique for structuring computer programs introduced by high-level languages, is the procedure or the function. Procedures or functions are computer programs. A procedure call or a function call is a high-level abstraction that alters the flow of the calling program execution. In contrast with the more traditional "jump" or "goto" instructions, which also alter the flow of execution, a procedure or a function, after the execution of its own code, returns control to the instruction immediately following the call. To implement WO 01/37094 PCT/USOO/30812 procedure or function calls in the manner described, a memory device called a stack is utilized. A stack is a contiguous block of memory containing data. Its size is dynamically adjusted by the operating system routines at run time. The data is inserted to and removed from the stack by Central Processing Unit (CPU) utilizing Assembler language instructions such as "push" or "pop". The stack consists of logical stack frames or Procedure Activation Records that are inserted into the stack when a function is called and removed from the stack when the said function returns control to the calling program. The stack frame itself contains parameters to the called function, local variables, pointers to recover the previous stack frame, and the return address of the calling computer program. The return address is the instruction pointer of the calling program at the time of the function call. Induced buffer overflow or buffer overflow attack is known in the art. Buffer overflow attacks exploit the lack of bounds checking on the size of input being stored in a buffer array. Arrays are predefined allocated memory devices within a computer system: By writing data intentionally past the end of an allocated array, an attacker can make arbitrary changes to data stored adjacent to the said array. The most 2 VTmn-TqTTTYTY OYTE'T /"rT t iCi WO 01/37094 PCT/USOO/30812 common data structure to be corrupted in this fashion is the stack. Therefore this type of attack is also known as stack smashing. The prevalent form of buffer overflow exploitation is to attack buffers allocated on the stack. Such attacks attempt to achieve two mutually dependent objectives. One such objective is inserting an attack code in the form of an executable binary code native to the attacked machine. Another such objective is to change the return address to point to the attacker's supplied code now residing within said stack memory. Such attacker's supplied code may be utilized to gain enhanced privileges over said computer system. The programs that are attacked using this technique are usually high privilege utilities or daemons that run under the user-id root to perform essential services. The effect of a successful buffer overflow attack is to provide the attacker non-authorized root privileges. Gaining root privileges within a computer system allows non-authorized users access privileged resources. As the maximum length of the overflowing data string can be only the current depth of the stack, the inserted attack code should be short in terms of code length. Writing data outside the stack limit will result in an exception condition that will prevent the attack code to execute. Therefore, the buffer overflow attacker will be forced to write 3 WO 01/37094 PCT/US00/30812 short code and will have to use high-level System calls or Library calls. Such calls will later be utilized to gain non-authorized enhanced privileges to access privileged resources. Several strategies, which attempt to resolve the buffer overflow weakness, are known in the art. One such strategy is to design a compiler designed to prohibit a computer program from writing past a stack segment array. Another strategy is to detect buffer overflow vulnerable programs off line and alert the user to the possibility that the system privileges may be compromised. Another known strategy is using a repair program. The repair program can repair or fix those vulnerable programs that can be used to exploit the buffer overflow weakness. None of the above provide a method and apparatus for prevention of buffer overflow through controlled execution of system or other calls within a computer system. 4 t~wT~('Y'V ?W~~ CY1'1"Y /VV V V T' WO 01/37094 PCT/USOO/30812 SUMMARY OF THE PRESENT INVENTION Thus, there is a long felt need to provide a for detecting and preventing unauthorized or illegal access attempts within a computer system. More specifically, a method for detecting and preventing attempts to exploit the buffer overflow-related weakness within a computer system by validating system or other calls made within a computer system. It is therefore the object of this invention to provide a method for preventing induced buffer overflow attack by preventing execution of high-level System calls, Library calls, Application Program Interface call and the like when such calls are illegally made. It is therefore another object of the present invention to provide a method for preventing induced buffer overflow attack by preventing execution of high-level System calls, Library calls, Application Program Interface call and the like when such calls are made from unauthorized areas within a computer system. It is yet a further object of the present invention to provide a method for preventing induced buffer overflow attack by preventing execution of high-level System calls, Library calls, Application Program Interface call when such calls are made from outside the user process associated with said called system or other call. 5 WO 01/37094 PCT/USOO/30812 It is therefore provided in accordance with a preferred embodiment of the present invention a method of secure function execution within a computer system running an operating system platform, said operating system including a kernel space and a process space, said process space including a user application running in process space, said user application operative to intercept system calls, said method comprising the step of examining said intercepted system call validity by comparing said intercepted system call originating address with range of process valid addresses associated with said process from which said intercepted system call originated and providing notification as to the validity of said intercepted system call, or terminating said intercepted system call. It is further provided in accordance with a preferred embodiment of the present invention a method of secure function execution within a computer system running an operating system platform, said operating system including a kernel space and a process space, said process space including a user application running in process space, said user application operative to intercept system calls, said method comprising the step of examining said intercepted system call validity by comparing said intercepted system call originating address with range of process valid addresses associated with said process from which said 6 WO 01/37094 PCT/USOO/30812 intercepted system call originated and responsive to process creation inserting application program interface interception module into said created process and responsive to process creation updating process valid addresses table or responsive to process termination updating process valid addresses table. In accordance with yet another preferred embodiment of the present invention there is provided a method of secure function execution within a computer system running an operating system platform, said operating system including a kernel space and a process space, said process space including a user application running in process space, said user application operative to intercept library calls, said method comprising the step of examining said intercepted library call validity by comparing said intercepted library call originating address with range of process valid addresses associated with said process from which said intercepted library call originated and providing notification as to the validity of said intercepted library call or terminating said intercepted library call. In accordance with yet another preferred embodiment of the present invention there is provided a method of secure function 7 vr CTT1,1V ' Iy Vr T F ' WO 01/37094 PCT/USOO/30812 execution within a computer system running an operating system platform, said operating system including a kernel space and a process space, said process space including a user application running in process space, said user application operative to intercept library calls, said method comprising the step of examining said intercepted library call validity by comparing said intercepted library call originating address with range of process valid addresses associated with said process from which said intercepted library call originated and responsive to system call loading dynamic link library hooking and patching library routines associated with said dynamic link library and responsive to system call unloading dynamic link library updating process valid addresses table. In accordance with another preferred embodiment of the present invention there is provided a method of secure function execution within a computer system running an operating system platform, said operating system including a kernel space and a process space, said process space including a user application running in process space, said user application operative to system and function calls, said system or function call intercepted, said method comprising the steps of receiving caller routine return address from said process 8 WO 01/37094 PCT/USOO/30812 memory device, determining whether caller routine address is valid by comparing said caller address routine with process valid address table and providing notification as to the validity of said caller routine return address or performing user predetermined acts associated with said validity of caller routine address. The same method further comprising the step of determining said caller routine calling address by determining the address preceding said caller routine address. In accordance with yet another preferred embodiment of the present invention there is provided a method of secure function execution within a computer system running an operating system platform, said operating system including a kernel space and a process space, said process space including a user application running in process space, said user application operative to system and function calls, said system or function call intercepted, said method comprising the steps of receiving caller routine return address from said process memory device, determining whether caller routine address is valid by comparing said caller address routine with associated process stack address area and providing notification as to the validity of said caller routine retum address or performing user predetermined acts associated with said validity of caller routine address. The same 9 t'TYT~trnVV t ? irYTVTY-9" f"T Tr Y'T WO 01/37094 PCT/USOO/30812 method wherein the step of receiving caller routine return address from said process memory device further comprises the step of determining said caller routine calling address by determining the address preceding said caller routine address. 10 cOTTTCOrT'T T'TT'Y Te Y'Y T' Y"TTT T' af WO 01/37094 PCT/USOO/30812 BRIEF DESCRIPTION OF THE DRAWINGS The accompanying drawings, which are incorporated in and constitutes a part of the specification, illustrate preferred embodiments of the invention and, together with the description, serve to explain the principles of the invention: Fig. 1 is a block diagram of the Secure Function Execution System environment generally referenced to as system 100; Fig. 2 is a high-level flow diagram of the Secure Function Execution Server 116 operation; Fig. 3 is a high-level flow diagram of the operation of the Secure Function Execution Server initialization module referred to in Fig. 2; Fig. 4 is a high-level diagram of Secure Function Execution Server or the like response to an intercepted system call referred to in Fig. 2; Fig. 5 is a high-level flow diagram of the operation of the 11 WO 01/37094 PCT/USOO/30812 Secure Function Execution Server and the like library call response module referred to in Fig. 2; Fig. 6 is a high-level flow diagram of the operation of the Calling Address Validation Routine module; Fig. 7 is a high-level flow diagram of the Calling Address Validation Routine module relating to an another embodiment of the present invention. 12 OcTTOCwqT'rTTrj Cixrrvr (DTrT X,'4 WO 01/37094 PCT/USOO/30812 DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS The present invention overcomes the disadvantages of the prior art by providing a novel method, which detects if an attempt to exploit the buffer overflow weakness is occurring by validating use of system or other calls within a computerized system. Reference is now made to Fig. 1, there is provided a schematic illustration of the system environment wherein the Secure Function Execution System is operating, generally referred to as system 100, in accordance with a preferred embodiment of the present invention. The present invention is related to Israel Patent Application Number XXXXXXX. "METHOD AND SYSTEM FOR INTERCEPTING A APPLICATION PROGRAM INTERFACE" filed 14 November 1999. As further described in detail in Israel Patent Application Number XXXXXXX, system 100 of Fig. 1 may comprise of four components of the Secure Function Execution System; a) Secure Function Execution Server 116 is an active component. Secure Function Execution Server 116 is the 13 TrTne-rrre curr-r rn"T r on WO 01/37094 PCT/USOO/30812 operational center of the Secure Function Execution System 100. Secure Function Execution Server 116 loads and controls System Call Interception Component 124, loads and controls API Interception Module 134, 140, and 146, responds to diverse system and library calls and acts as an interface towards the user. The Secure Function Execution Server 116 is loaded into the user space memory device 112 of a computer system. Secure Function Execution Server 116 incorporates the API Interception Control Server operations that were described in detail in Israel Patent Application No. XXXXXXX. b) API Interception Module 134, 140, 146 and the like are active components. API Interception Module 134, 140, 146 and the like operations are described in detail in Israel Patent Application Number XXXXXXX. API Interception Module 134, 140, 146 and the like consist of Dispatch Routine, Depatch Routine, Hook and Patch Routine, Pre-Entry Routine, and Post-Entry Routine. The operations of the said routines are also described in detail in Israel Patent Application No. XXXXXXX. 14 cTTDoo-TrTrrv ~vvr f~T (Y V' WO 01/37094 PCT/USOO/30812 c) System Call Interception Component 124 is an active component. System Call Interception Component 124 operation is described in detail in 'srael Patent Application No. XXXXXXX. d) API routine 132, 138, 144 and the like are passive components. API routines 132, 138, 144 and the like are potential objects upon which Secure Function Execution System 100 might operate. API routines 132, 138, 144 and the like are loaded into process address space memory device 118, 120, 122 and the like in user memory device 112 of system 100. System 100 previously described in Israel Patent Application number XXXXXXX serve as model for a Secure Function Execution System in which the present invention is operative. It will be appreciated by those skilled in the art that the present invention may operate under various similar systems and that the system shown herein is an example to further illustrate the working of the present invention. Referring to Fig. 2 there is provided a high-level flow diagram of the Secure Function Execution Server 116 operation. 15 WO 01/37094 PCT/USOO/30812 Secure Function Execution Server 116 was previously described in detail in Israel Patent Application Number XXXXXXX. The operation of said Secure Function Execution Server 116 would now be briefly explained. Secure Function Execution (SFE as it will be abbreviated from this point on in the text of this document) Server 116 initializes the application in step 150. Consequently SFE Server 116 commences its run-time operation in step 152 by constantly monitoring system calls made by diverse applications that run in the host operating system (step 152) and responding appropriately to the said system calls (step 154) as described in detail in Fig. 4. SFE Server is also constantly monitoring library calls made by diverse application that run in the host operating system (step 156). SFE Server responds appropriately to the said library calls (step 158) as described in detail in Fig. 5. Referring now to Fig. 3 there is provided a high-level flow diagram of SFE Server 116 start-up.operation referenced as step 150 of Fig. 2. SFE Server 116 start-up operation was previously described in detail in Israel Patent Application Number XXXXXXX. First SFE Server 116 loads System Call Interception Component 124 into kemel space memory device 114 (step 184). After 16 ~VflT~ TqTT'vT~ OYr~rI' DYIT M WO 01/37094 PCT/USOO/30812 establishing communication with System Call Interception Component 124 SFE Server 116 queries System Call Interception Component 124 for the list of active processes 118, 120, 122 and the like (step 186). Using the said list of active processes 118, 120, 122 and the like SFE Server 116 creates a list of valid address ranges for each active process 118, 120, 122 and the like. This structure will be referenced from this point on as Process Valid Address Range in the text of this document. Process Valid Address Range List holds the address range into which the process 118, 120, 122 and the like was loaded to. Process Valid Address Range also holds all the address ranges into which diverse Dynamic Link Library (DLL) 130, 136, 142 and the like were loaded. Dynamic Link Library is a set of callable subroutines linked as a binary image that can be dynamically loaded by applications that utilize them. Finally, SFE Server will insert API Interception Module 134, 140, 146 and the like to all active processes 118, 120, 122 and the like (step 19) as described in detail in Israel Patent Application No. XXXXXXX. SFE Server operation of monitoring system calls in step 152 17 "'TmcOT'"r'TT~r' 1, XVr r" T /f T Y''r WO 01/37094 PCT/USOO/30812 of Fig. 2 is described in detail in Israel Patent Application No. XXXXXXX. Turning now to Fig. 4 which is a high-level flow diagram of SFE Server or the like response to an intercepted system call, referred to as step 154 of Fig. 2. SFE Server 116 determines in step 160 whether the system call detected is an illegal call or a legal call. SFE Server determines whether said system call is valid by comparing said system call originating address with range of Process Valid Address associated with said process from which said system call originated. If illegal call was detected the SFE Server 116 may terminate the illegal function (step 164). Alternatively SFE Server 116 may notify a user (typically the System Administrator) about the illegal call (step 166). Alternatively, SFE Server 116 may perform another or other series of user predetermined actions. If the system call detected is legal (step 160) SFE Server 116 examines the said system call to determine if it is of the type of process creation (step 162). If and when it is determined that the system call of the type of process creation SFE Server 116 inserts API Interception Module 134 to the newly created process address space 118 (step 168) and updates Process Valid Address Range List (step 170) by adding 18 WO 01/37094 PCTIUSOO/30812 said process address list to Process Valid Address Range. If the decision in step 162 is negative SFE Server optionally performs any other user predetermined or instructed action (step 166). If and when it is determined that the system call of the type of process termination SFE Server 116 updates Process Valid Address Range List (step 171) by removing said process valid addresses range from Process Valid Address Range List. SFE Server operation of monitoring library calls in step 156 of Fig. 2 is described in detail in US Patent Application No. XXXXXXX. Turning now to Fig. 5 which is a high-level flow diagram of the SFE Server and the like response to an intercepted library call referred to as step 158 of Fig. 2. SFE Server 116 determines in step 172 if the library call detected is an illegal call. SFE Server determines whether said library call is valid by comparing said library call originating address with range of Process Valid Address associated with said process from which said library call originated. If an illegal call is detected SFE Server 116 optionally terminates the illegal library function (step 180). Alternatively, SFE Server 116 notifies a user (typically the System Administrator) (step 182). Alternatively, SFE 19 WO 01/37094 PCT/USOO/30812 Server 116 performs any other user predetermined or instructed action (step 182). If the library call detected is legal (step 172) SFE Server 116 determines if the said library call is of the type of DLL 130 load (step 174). If the decision in step 174 is affirmative than SFE Server 116 hooks and patches the library calls (APIs) 132 existing within said loaded DLL 130. Such hooking and patching is further described in detail in Israel Patent Application _. After hooking and patching said API Interception Module 134 already loaded into said associated process 118 is now operative to intercept calls made to said library calls 132. When determined that the library call is of the type DLL load SFE Server 116 updates Process Valid Address Range List (step 178) by adding DLL address rage into Process Valid Address Range List. If the decision in step 172 is negative SFE Server 116 determines if the intercepted library call if of the type DLL unload (step 176) by deleting DLL address range from Process Valid Address Range List. When it is determined that the library call is of the type of DLL unload SFE Server updates the Process Valid Address Range List (step 178). Reference in now made to Fig. 6 that is a high-level flow diagram of the operation of the Calling Address Validation Routine 20 y~~*CTTTY.IT T"r Yi' e WO 01/37094 PCT/USOO/30812 module. The Calling Address Validation Routine module may operate in conjunction with API Interception Module Pre-Entry routine as further described in detail in Israel Patent Application No. XXXXXXX. Pre-Entry routine may be activated when an API 132 or the like of Fig. 1 is intercepted. Operating under SFE System 100 Pre-Entry routine, Calling Address Validation Routine module is executing a set of instructions designed to validate the API function 132 of Fig. 1 calling address (caller Routine). Caller Routine also includes caller Application Program Interface, caller system call, caller library call and the like. Calling Address Validation Routine module commences its operation by reading the caller Routine return address from the Procedure Activation Record (stack frame) which is on the user stack segment (step 191). The stack frame is a dynamic area of the process stack segment used as a control area for function calls. The process stack segment is a dynamic area of memory belonging to a process. In step 192 the caller Routine calling address is calculated (step 192) and with the help of the data in Process Valid Address Range List it is examined if the said caller Routine calling address is within valid address range limits (step 194). In step 196 it is determined whether the calling address valid or non-valid. To calculate if said caller Routine calling address is within said valid address range limit said caller 21 YT1,T'T1TYq /Tr~ I T WO 01/37094 PCT/USOO/30812 Routine calling address is matched with said valid address range limit. If said caller Routine calling address is within said valid address range than caller Routine calling address is valid. Next, Calling Address Validation Routine module by Pre-Entry routine or the like notifies SFE Server 116 or the like about the test result (step 198 and step 200). It will be appreciated to by persons skilled in the art that in this illustrated embodiment of the present invention any unauthorized or illegal system call or library call originating from memory areas out of active process address space memory device 118, 120, 122 and the like of Fig. 1 will be detected and optionally their execution will be prevented by SFE System 100. Reference is now made to Fig. 7 which is a high-level flow diagram of the Calling Address Validation Routine module relating to an another embodiment of the present invention. In the embodiment thereof Calling Address Validation Routine module commences its operation by reading the caller return address from the Procedure Activation Record (stack frame) on the process stack segment (step 202). It will be appreciated that reading caller Routine return address is significantly faster and more accurate. In step 204 the caller Routine calling address is calculated and it is examined 22 mTT30TTTTV' CTTIVT /TnTT V "r\ WO 01/37094 PCT/USOO/30812 with the help of system-level structures to determine whether the calling address is inside the address limits of the process stack segment (step 206). Such determination is accomplished by comparing said caller Routine calling address with address limits of said process stack segment. Next, Calling Address Validation Routine module by Pre-Entry routine or the like notifies SFE Server 116 or the like about the result of the examination (step 210 and step 212). It will be appreciated by persons skilled in the art that in this further embodiment of the invention any unauthorized or illegal system call or library call originating from the process stack segment structure will be detected and optionally prevented by SFE System 100. Additional advantages will readily occur to the person skilled in the art. The invention, in its broader aspects is, therefore, not limited to the specific details, representative methods, systems and examples shown and described. It will be further appreciated by persons skilled in the art that the present invention is not limited to what has been particularly shown and described hereinabove. Rather the scope of the applicant's general inventive concept and the claims which follow. 2-a CTTTrFj1r TV ~rr' nDITI V '4

Claims (21)

1. In a computer system running an operating system platform, said operating system including a kernel space and a process space, said process space including a user application running in process space, said user application operative to intercept system calls, a method of secure function execution, said method comprising the step of: examine said intercepted system call validity by comparing said intercepted system call originating address with range of process valid addresses associated with said process from which said intercepted system call originated.
2. The method of claim 1, further comprising the step of: providing notification as to the validity of said intercepted system call.
3. The method of claim 1, further comprising the step of: terminating said intercepted system call.
4. The method of claim 2, further comprising the step of: 24 t~vyu~ ~ I T.T C.T,"T/ Vr TV ft WO 01/37094 PCT/USOO/30812 terminating said intercepted system call.
5. The method of claim 1, further comprising the steps of: responsive to process creation inserting application program interface interception module into said created process; responsive to process creation updating process valid addresses table.
6. The method of claim 1, further comprising the step of: responsive to process termination updating process valid addresses table;
7. In a computer system running an operating system platform, said operating system including a kernel space and a process space, said process space including a user application running in process space, said user application operative to intercept library calls, a method of secure function execution, said method comprising the step of: examine said intercepted library call validity by comparing said intercepted library call originating address with range of process valid addresses associated with said process from 25 OTTDOTTTTTU Y11rr MTTT V' \ WO 01/37094 PCT/USOO/30812 which said intercepted library call originated.
8. The method of claim 7, further comprising the step of: providing notification as to the validity of said intercepted library call.
9. The method of claim 7, further comprising the step of: terminating said intercepted library call.
10. The method of claim 8, further comprising the step of: terminating said intercepted library call.
11. The method of claim 7, further comprising the steps of: responsive to system call loading dynamic link library hooking and patching library routines associated with said dynamic link library; responsive to system call unloading dynamic link library updating process valid addresses table;
12. In a computer system running an operating system platform, said operating system including a kernel space and a process space, 26 WO 01/37094 PCT/USOO/30812 said process space including a user application running in process space, said user application operative to system and function calls, said system or function call intercepted, a method of secure function execution, said method comprising the steps of: receiving caller routine return address from said process memory device; determining whether caller routine address is valid by comparing said caller address routine with process valid address table.
13. The method of claim 12, further comprising the step of: providing notification as to the validity of said caller routine return address.
14. The method of claim 12, further comprising the step of: performing user predetermined acts associated with said validity of caller routine address.
15. The method of claim 12, wherein the step of receiving caller routine return address from said process memory device further comprises the step of: determining said caller routine calling address by determining the 27 TTnTrrrrTTrr zurrT rDTTT r 7a WO 01/37094 PCT/USOO/30812 address preceding said caller routine address.
16. In a computer system running an operating system platform, said operating system including a kernel space and a process space, said process space including a user application running in process space, said user application operative to system and function calls, said system or function call intercepted, a method of secure function execution, said method comprising the steps of: receiving caller routine return address from said process memory device; determining whether caller routine address is valid by comparing said caller address routine with associated process stack address area.
17. The method of claim 16, further comprising the step of: providing notification as to the validity of said caller routine return address.
18. The method of claim 16, further comprising the step of: performing user predetermined acts associated with said validity of caller routine address. 28 OTDOm~r'Irr C-Vxxrrr fDTTy V 4 WO 01/37094 PCTIUSOO/30812
19. The method of claim 16, wherein the step of receiving caller routine return address from said process memory device further comprises the step of: determining said caller routine calling address by determining the address preceding said caller routine address.
20. The method of secure function execution as substantially described hereinabove.
21. The method of secure function execution as illustrated in any of the drawings. For the Applicant Soroker - Agmon, Law Offices
3025.16-8 29 CTw'TrrTT'rr CTxrrV'qr tTTIr r 14
AU17587/01A 1999-11-14 2000-11-10 Method for secure function execution by calling address validation Abandoned AU1758701A (en)

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
IL132915 1999-11-14
IL13291599A IL132915A (en) 1999-11-14 1999-11-14 Method for secure function execution by calling address validation
US09561011 2000-04-28
US09/561,011 US6412071B1 (en) 1999-11-14 2000-04-28 Method for secure function execution by calling address validation
PCT/US2000/030812 WO2001037094A1 (en) 1999-11-14 2000-11-10 Method for secure function execution by calling address validation

Publications (1)

Publication Number Publication Date
AU1758701A true AU1758701A (en) 2001-05-30

Family

ID=26323903

Family Applications (1)

Application Number Title Priority Date Filing Date
AU17587/01A Abandoned AU1758701A (en) 1999-11-14 2000-11-10 Method for secure function execution by calling address validation

Country Status (5)

Country Link
EP (1) EP1236115A4 (en)
JP (1) JP2003515218A (en)
AU (1) AU1758701A (en)
CA (1) CA2390862A1 (en)
WO (1) WO2001037094A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003050660A1 (en) * 2001-12-12 2003-06-19 Schlumberger Systemes Method and system for module chaining control in a modular software architecture
JP2004126854A (en) * 2002-10-01 2004-04-22 Mitsubishi Electric Corp Attack countermeasure system
EP1507185A1 (en) * 2003-08-11 2005-02-16 Axalto S.A. Method and device for protecting against unauthorized access to a secure routine
FR2859548B1 (en) * 2003-09-09 2005-11-25 France Telecom METHOD OF MONITORING THE EXECUTION OF PROGRAMS ON A COMPUTER
NO20050564D0 (en) * 2005-02-02 2005-02-02 Tore Lysemose Hansen Program monitor to identify unauthorized intrusion into computer systems
EP2113859A4 (en) * 2007-02-21 2010-04-14 Nec Corp Computer, operation rule application method, and operating system
US20210216667A1 (en) 2020-01-10 2021-07-15 Acronis International Gmbh Systems and methods for protecting against unauthorized memory dump modification

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB1561482A (en) * 1976-11-18 1980-02-20 Ibm Protection of data processing system against unauthorised programmes
DE69032649T2 (en) * 1989-08-01 1999-05-06 Silicon Graphics Inc Mountain FILE CHANGE MONITOR FOR COMPUTER, OPERATING AND FILE MANAGEMENT SYSTEMS
US5987611A (en) * 1996-12-31 1999-11-16 Zone Labs, Inc. System and methodology for managing internet access on a per application basis for client computers connected to the internet
US5974549A (en) * 1997-03-27 1999-10-26 Soliton Ltd. Security monitor

Also Published As

Publication number Publication date
WO2001037094A1 (en) 2001-05-25
EP1236115A1 (en) 2002-09-04
EP1236115A4 (en) 2004-05-26
JP2003515218A (en) 2003-04-22
CA2390862A1 (en) 2001-05-25

Similar Documents

Publication Publication Date Title
US6412071B1 (en) Method for secure function execution by calling address validation
US8661541B2 (en) Detecting user-mode rootkits
US7779062B2 (en) System for preventing keystroke logging software from accessing or identifying keystrokes
US8719924B1 (en) Method and apparatus for detecting harmful software
CN103886252B (en) Software Code Malicious Selection Evaluation Executed In Trusted Process Address Space
US7665139B1 (en) Method and apparatus to detect and prevent malicious changes to tokens
US5974549A (en) Security monitor
RU2646352C2 (en) Systems and methods for using a reputation indicator to facilitate malware scanning
US20070050848A1 (en) Preventing malware from accessing operating system services
US8141154B2 (en) System and method for inspecting dynamically generated executable code
AU2006210698B2 (en) Intrusion detection for computer programs
US7934261B1 (en) On-demand cleanup system
US7797702B1 (en) Preventing execution of remotely injected threads
US20070250927A1 (en) Application protection
US10685110B2 (en) Detection of exploitative program code
US20130061323A1 (en) System and method for protecting against malware utilizing key loggers
US20070079375A1 (en) Computer Behavioral Management Using Heuristic Analysis
US8539578B1 (en) Systems and methods for defending a shellcode attack
US7284124B1 (en) Trust level based platform access regulation application
KR20180032566A (en) Systems and methods for tracking malicious behavior across multiple software entities
US9659173B2 (en) Method for detecting a malware
US7251735B2 (en) Buffer overflow protection and prevention
US20060053492A1 (en) Software tracking protection system
WO2001037095A1 (en) Method and system for intercepting an application program interface
EP2876572A1 (en) Firmware-level security agent supporting operating system-level security in computer system